Last Updated on June 29, 2021
One of the questions we hear most frequently about privacy compliance is, ‘Does my company need a Data Protection Officer?’ What is a DPO? How do you know if you need one? And… where can you find one? With new privacy laws multiplying like rabbits, skilled privacy professionals are in short supply!
On a recent episode of The Virtual CISO Podcast, two of Pivot Point Security’s full-time GRC consultants, Andrew Frost and Aurore Watts, shared some “lessons learned” from our initial ISO 27701 certification experiences with clients. Their conversation included first-hand advice on “the DPO question.”
The new ISO 27701 “privacy extension” enables an ISO 27001 certified business to extend its Information Security Management System (ISMS) to encompass data privacy principles and best practices. Many organizations are considering ISO 27701 certification because they need to comply with major privacy laws like the EU’s GDPR and California’s CCPA.
GDPR mandates a DPO in certain circumstances, but CCPA and ISO 27701 do not. Aurore explains: “GDPR is for all those members countries, but they still have specific requirements based on each member country. So, when you talk about something like a Data Protection Officer, you’re going to have additional requirements based on which countries you are processing data from. But, in general, GDPR has requirements for the DPO job definition, one of which is independence. Your DPO needs to be independent from the corporate decision-making, which is pretty difficult to achieve within a company. Whereas with ISO 27701, we just have to make sure that the privacy responsibilities are assigned; it doesn’t talk about independence.”
Whether or not you need a DPO function for GDPR compliance, it’s recommended that you have legal counsel involved when deciding on privacy matters. Andrew clarifies: “Basically, most of the stuff you’re doing with privacy is contracts. You’re writing things into contracts, like the right to be forgotten or how to contact you to get the PII that you have stored [on a data subject].”
Another reason to have privacy legal advice on tap is that “legal interpretation” is so often required. Show host John Verry, Pivot Point Security’s CISO and Managing Partner, shares: “A client will say to me, ‘Okay, this law requires explicit consent. If somebody gives me a business card at a conference, is that explicit consent? Or do I need to then send them an email with an opt-out clause?’ For so many of the questions that we get asked, the answer is, ‘It depends, and your legal counsel should look at this.’”
“Your legal counsel should definitely be involved in documenting all those contracts, and in making decisions on where the company wants to go,” replies Aurore. “Our job as consultants is to have a lot of interaction with that legal person to understand what they want—and what they want the company to say to their clients and the rest of the world, which is anyone coming to their website.”
The bottom line is that privacy compliance, with its ongoing client contracts, legal interpretations/clarifications and potential DPO obligations, requires notable privacy expertise. Many firms don’t have that skill set on staff, making a virtual DPO provider a valuable adjunct.
“I’m not an attorney, but I sometimes play one on sales calls,” jokes John.
Concerned about your company’s privacy compliance posture? This “lessons learned” conversation with Aurore Watts and Andrew Frost will be great input for your planning.